CVE-2026-2491

Socomec DIRIS A-40 HTTP API Authentication Bypass Vulnerability

Assigner: zdi
Reserved: 13.02.2026 Published: 13.03.2026 Updated: 13.03.2026

Socomec DIRIS A-40 HTTP API Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Socomec DIRIS A-40 power monitoring devices. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the web API implementation, which listens on TCP port 80 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-23993.

Metrics

CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Score: 6.3

Attack Vector	Adjacent Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

CVSS 3.0

Product Status

Vendor	Socomec
Product	DIRIS A-40
Versions	Default: unknown Version 1.8.1 is affected

Vendor

Socomec

Product

DIRIS A-40

Versions

Default: unknown

Version 1.8.1 is affected

References

Problem Types

CWE-306: Missing Authentication for Critical Function CWE

CVE-2026-2491 PUBLISHED

Socomec DIRIS A-40 HTTP API Authentication Bypass Vulnerability

Metrics

Product Status

References

Problem Types